Health care facilities are trying to get a handle on introducing and managing mobile devices in their facilities, but are finding it difficult to keep their data safe. If the loss of unencrypted laptops with confidential patient data has not already earned a facility a place on the Department of Health and Human Services (DHHS) wall of shame, the risk of data being accessed and stolen internally is sure to follow.

So far, over 25 health care facilities and associated businesses have been embarrassed this year by the August 2009 Breach Notification Rule included in the Health Information Technology for Economic and Clinical Health (HITECH) Act – under which facilities and businesses are required to notify the appropriate agencies when a data breach has compromised the protected health information (PHI) of 500 individuals or more. A significant number of the breaches listed on the DHHS site involve lost or stolen laptops and unauthorized access to or hacking of the network.

The latest occurrence was the loss of a laptop in a doctor’s office in Miami, FL, where the PHI of 1,137 patients was exposed. One of the largest incidents reported last year was AvMed, Inc.’s report of two unencrypted laptops stolen from a conference room, which contained names, dates of birth, addresses, social security numbers, and personal health information of nearly 1,220,000 patients. According to the U.S. Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, “poor physical security protective mechanisms or operational security awareness make it easy for thieves. In addition, lack of hardware encryption allows thieves direct access to all data stored on the device”[1].

In addition to weak physical security, internal access controls, and weak passwords, the DHS has found increased vulnerabilities in mobile devices that contain commercial operating systems, which are vulnerable to malware and viruses. This includes not only mobile devices connected to the network, but all mobile devices used by the organization. When a device is connected to both the internet and the hospital network, it poses a higher risk of breaches. Devices are vulnerable to cyber attacks that can take advantage of software vulnerabilities, lack of software patches, firmware vulnerabilities, and wireless connections – which could open a way into the health care network. An example is the use of iPads by doctors at the University of Chicago, which were affected by a vulnerability in Apple iOS, where malware was found affecting iTunes users who connected their iPads to Windows operating systems. Backdoor.Bifrose.AADY allowed remote control access by a third party and “pulled serial numbers and read passwords for different programs including POP3 email and any protected storage”[2]. Malware-related threats to computers on the network can occur when PHI data is synced and transferred with improperly configured mobile devices, introducing a new avenue of malware transfer.

PHI exposure is a violation of HIPAA regulations, from which monetary penalties, reputation damage, public embarrassment, lawsuits, and possible loss of the medical practice or business can follow. Additionally, the patients who were involved in the incident can face both identity theft and the sale of their personal data on the black market.

There is no silver bullet for completely eliminating the risks of mobile devices on the network. However, there are ways to reduce the risk of exploitation, while performing due diligence to minimize penalties and lawsuits resulting from HIPAA/HITECH violations. The best approach is always a solid evaluation of an organization’s information security program. It is absolutely vital that a security program not only include identifying, assessing, and remediating high-risk areas, but also ensure that all controls – technical, administrative, and physical – are working in synchronization to create a holistic security program. These three components must integrate seamlessly in order to eliminate gaps in security. Gaps in security controls can easily lead to vulnerabilities.

The benefits of using a security consulting firm are endless. Not only can they become a strategic partner in an organization’s efforts to maintain compliance, but they can also provide all of the components that would otherwise be inaccessible – which can include the cost of finding and maintaining staff with years of expertise; in-depth knowledge of current health care IT regulations; contracted IT staff with current technology skills; and most importantly, objectivity. Hackers, as well as internal and external threats, are always one step ahead of the security industry – making it impossible for security administrators to stay on top. However, minimizing threats, continuously updating their holistic security programs, and utilizing the expertise of security consultants can make a difference.

As technology use increases due to people using computers and Internet access for business and personal reasons, there has also been an increase in malicious software (or “malware”). Malware is best known for its ability to wreak havoc on both a user’s computer and the network that it has infected.

While some problems caused by malware infection often include such annoyances as computer and network slowness, more serious problems include network breaches facilitated by malware on company computers.

Types of Malware

There are several types of malware, the most common of which are viruses, worms, trojans, and rootkits.

Viruses and Worms: Both viruses and worms are infectious, which means that they can and will spread to other computers. Viruses spread when they are accessed or run, while worms can spread without additional user intervention.

Trojans and Rootkits: These are malware programs that conceal their true identity. Trojans are usually embedded in another program and are installed by a user who does not realize that what they are installing is harmful. Rootkits are a means of hiding the malware from the user. A rootkit allows the program to persist by either hiding within the operating system or by thwarting attempts at removal if detected.

How Malware Gets In

Malware can be introduced into a network in a number of different ways. Users are often unaware that they have allowed malware onto their computer and network until it is too late. Common infection scenarios include downloading e-mail attachments from an unknown source, downloading files on the Internet, or visiting untrusted websites.

To ensure and protect the integrity of your network, you need to reduce the threat of malware. Here are some tips to help:

Install an antivirus program that runs in the background on all your computers. While not fool-proof, an antivirus program is a great way to protect against known viruses.

Instruct users not to open email attachments from an unfamiliar source. This is a simple way to protect your network from malware.

Limit the sites that users are able to access using a firewall. Certain websites (including illegal software, music download sites, and adult websites) are much more likely to have malware lurking in their coding.

Place strict limits on what can and cannot be downloaded from the Internet. Defining what can be downloaded can greatly reduce your business’s risk of being infected with malware.

Consider reducing the privilege level of users on their individual computers. Many malware programs require administrator level access to make malicious changes to a hard drive, but most user applications do not need this high level of access.

The most commonly misunderstood term seen in the security industry is Risk Management. If you Google the term “Risk Management”, you will find yourself buried in a pile of information ranging from financial risk management to business risk management. And if you happen to fall upon the actual security risk management concept, you may come across a blog post or online article describing risk management incorrectly. Even when speaking with some corporate decision makers (and some IT professionals), the security term risk is often used interchangeably with other terms such as vulnerability and threat. I have seen vendors marketing tools that were for “Risk Management” but in reality, they were vulnerability management tools. I can truly understand why education must be made a priority when talking to decision makers prior to discussing a risk management assessment.

The terms risk, vulnerability and threat are three separate terms that work together:

1. Vulnerabilities – are holes and weaknesses in an organization, which are typically the easiest to find and remediate, usually through penetration and vulnerability tests.

2. Threat – is the possibility that something or someone will find out about the vulnerability and exploit it.

3. Risk – is the probability that a threat can become real, resulting in some form of impact on the business, should that vulnerability become exploited – the unanswered question is how badly will it hurt the organization. This is usually the hardest to calculate.

Some companies think they have a risk management program already in place, but due to the misunderstanding of terminology, will actually have a vulnerability program in place. I have had some companies actually refer to their traditional Enterprise Risk Management (ERM) program when asked if they had a risk management program in place – which is completely different from any security program. ERM includes credit, liquidity, regulatory compliance, and market risk, as well as risk transfer strategies, capital management, and strategy development. However, a solid IT Security Risk Management Program should be an integral part of a holistic ERM – which will cover the organization’s risks more efficiently and effectively. After a brief explanation of the differences between the terms, it is quickly understood that their misunderstanding may have caused them to fall short in implementing a solid risk management program. Additionally, if the risk management program does not include and address all of the layers of the organization that can contain threats – such as administrative, technical, physical, operations, tactical, and strategic – it is not a risk management program.

Risk Management can be both complex and time consuming. Understanding business, capital, and human resource issues, as well as management levels, is critical during assessment – rather than looking at it solely from a technical perspective. An organization must attempt to read the future, determine what can happen, and how much it can cost.

Risk management should not solely rest on the shoulders of the CSO. It should be a collective effort by including decision makers and department heads throughout the entire organization that are knowledgeable and able to contribute to the process. Not only are they able to fully understand their department and the risks that take place – which are not just technical risks – they are also effectively positioned to enforce the plan, as well as assist in making changes to the culture of the organization starting within their department.

During the assessment, a tremendous amount of data will be gathered, and the current security component, as well as the business issues that can be affected by the current security in place, will be reviewed. Vulnerability and penetration tests will reveal what needs to be protected and how, and interviews with staff will provide information on gaps in policies and procedures. This process will allow organizations to learn their acceptable risk levels – which will tell them how much security they actually need. An organization’s policies should reflect acceptable risk levels in order to implement the right amount of security.

You can’t address all of your risks, and in many situations, it would not be necessary to do so. Once you associate the vulnerability with the threat, and with how that threat can affect the business, it becomes clear how to manage your risk. Risk should be managed in order, starting with the vulnerability that has the highest threat and will cost the company the most if exploitation occurs.
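The ordering described above, as an added example that is not from the original article: each vulnerability is paired with its threat and business cost, and the register is ranked by likelihood times cost, then split at an acceptable risk level. The register entries, the 0-to-1 likelihood scale, the dollar figures and the threshold are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    vulnerability: str   # the weakness found by testing or staff interviews
    threat: str          # who or what could exploit that weakness
    likelihood: float    # assumed yearly probability of exploitation, 0..1
    cost: float          # assumed business cost in dollars if exploited

    def __post_init__(self):
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be between 0 and 1")
        if self.cost < 0:
            raise ValueError("cost must not be negative")

    @property
    def exposure(self):
        # Assumed scoring model: expected yearly loss = likelihood * cost.
        return self.likelihood * self.cost


def prioritize(items, acceptable_exposure):
    """Rank by exposure (highest first) and split at the acceptable level.

    Returns (manage, accept): items to treat in order, and items whose
    exposure is at or below what the organization has decided to accept.
    """
    ranked = sorted(items, key=lambda i: (-i.exposure, -i.cost, i.vulnerability))
    manage = [i for i in ranked if i.exposure > acceptable_exposure]
    accept = [i for i in ranked if i.exposure <= acceptable_exposure]
    return manage, accept


def rank_by_likelihood(items):
    """Vulnerability-only view: ignores what exploitation costs the business."""
    return sorted(items, key=lambda i: -i.likelihood)


# Constructed sample register; every value here is illustrative.
REGISTER = [
    RiskItem("Unencrypted laptops leave the building",
             "theft of a device holding PHI", 0.30, 1_500_000),
    RiskItem("Local administrator rights on desktops",
             "malware installed by a user", 0.50, 200_000),
    RiskItem("No lockout after failed logins",
             "password guessing against accounts", 0.20, 400_000),
    RiskItem("Outdated browser on lobby kiosk",
             "malware from an untrusted website", 0.60, 5_000),
]

if __name__ == "__main__":
    manage, accept = prioritize(REGISTER, acceptable_exposure=10_000)
    for rank, item in enumerate(manage, start=1):
        print(f"{rank}. {item.vulnerability}: ${item.exposure:,.0f}")
    for item in accept:
        print(f"accepted: {item.vulnerability}: ${item.exposure:,.0f}")
```

The kiosk is the most likely item to be exploited yet ranks last once cost is included, which is the difference between a vulnerability list and a risk ranking.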

Understanding what risk management truly is continues to be the best strategy in properly assessing your organization the first time around, which will save you money in the long-term. When this concept is not fully understood, organizations find themselves either spending too much money on security, or not enough money – yet still lacking the right countermeasures implemented for tangible and intangible assets or controls that actually need risk management.

With all of the statistics, comprehensive data, and war stories shared from security officer to security officer, I often wonder what is behind the thought process of decision makers declining assistance in implementing a cyber security risk assessment – especially organizations that clearly need it for compliance reasons.

I speak with many technology decision makers of fairly large companies regarding implementing a free cyber security risk assessment for their infrastructure. If I had a dollar for the number of individuals within these organizations who believed that the assessment done over 2 years ago makes them prepared for the black hat techniques that advance faster than the pace of white hat security initiatives, I could hang up my coat and retire. There is a false sense of security that is prevalent in companies both large and small that believe if they were not significantly compromised in the last 3 or 4 years, their risk and compliance practices are consistent or above average with best practices in their industry. According to the Economist Intelligence Unit survey “Ascending the Maturity Curve, Effective Management of Enterprise Risk and Compliance”, at least 87% of respondents agreed with this notion.

However, it is recommended that a review of an organization’s security program be done a minimum of every 2 years. It is to their advantage not only to outsource this task to a reputable security consulting company in order to provide an objective point of view, something that is difficult to accomplish in-house, but also to use a different consulting company each time to continue to gain a different perspective. Rotating security consulting companies provides the opportunity to catch risks that may have been missed previously.

Although the financial services field was found to be most likely to have this false sense of security, the health care industry is barely on the map. The health care industry is just now beginning to embark on discovering a consistent risk assessment standard. Standards are underdeveloped as to how assessments and vulnerability remediation should be completed. Although HIPAA developed a requirement, a lot is left to interpretation. Unfortunately, this results in spotty assessments, or horrifically, no assessments done at all.

That’s why I scratch my head at a decision maker who turns down a free risk assessment. They have the opportunity to find out – utilizing a fresh pair of eyes – what may be exposed in their organization…for free. Addressing the risks, of course, is another subject. So, the next time you receive that call from a reputable security consultant about evaluating your risk assessment program that was implemented more than a year ago, reconsider. Hackers are not waiting every 2 years to develop new ways to crack your network – they are advancing each day.

Ensuring the security of your business network should be a priority for any company. Because so much work is done on your computer, storing files with important customer information and company secrets, it is crucial that a business protect that information as well as it can. Here are ten easy-to-implement tips for protecting the security of your network:

Do not let unknown users use your computer network. All users should be authenticated with a login and password assigned by a domain administrator who has verified the identity of the user.

Educate users on safe password creation and handling. Because some users find passwords easy to forget, some may try to use easy-to-remember dictionary words or even their own names. Some users may even write down their passwords in an easy-to-find place. This creates an opportunity for someone to steal a password and compromises the security of your network.

Require users to change their passwords at least every 90 days. The more a password changes, the less likely it is to be useful if stolen.

Limit the number of failed logins that can be tried before the system locks the user out. Password crackers often try different passwords at high speed. By limiting the number of failed logins, you can lock a potential intruder out.

Never set up an unsecured wireless network at your company. If your business has a need for a wireless network, make sure that the wireless network is secured and that unauthorized users are not able to access it.

Educate users on opening e-mail attachments. If a user receives an attachment from an unknown source or from a strange email, they should delete it. It could be a malware program that can create back doors to your network and breach your network security.

Use antivirus programs and be sure to keep them up to date. Antivirus programs can detect and eradicate various malware threats.

Restrict the websites your users can browse to trusted sites only. Malware is often downloaded unknowingly from untrustworthy websites, especially illegal download or adult websites.

Restrict the types of programs that can be downloaded onto your users’ computers. Users may download malware in the form of a trojan or a worm without realizing it.

Consider restricting administrator access on your desktop computers. Most users and applications do not need administrator access on their computers and can work just fine with regular user access.
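The failed-login limit from the list above, as an added example that is not from the original article: a lockout tracker that counts failures inside a time window and locks the account once the limit is reached. The limit of 5 failures, the 15-minute window, the 30-minute lockout, the user names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account after too many failed logins within a time window."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=1800):
        self.max_failures = max_failures
        self.window_s = window_s          # how long a failure is remembered
        self.lockout_s = lockout_s        # how long the account stays locked
        self._failures = defaultdict(deque)   # user -> recent failure times
        self._locked_until = {}               # user -> time the lock expires

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

    def record(self, user, success, now):
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            # While locked, even a correct password is rejected.
            return "locked"
        recent = self._failures[user]
        # Forget failures that have aged out of the counting window.
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if success:
            recent.clear()                # a good login resets the counter
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
            recent.clear()
            return "locked"
        return "failed"


def replay(events, policy=None):
    """Run (timestamp_seconds, user, success) events through a policy."""
    policy = policy or LockoutPolicy()
    return [policy.record(user, success, ts) for ts, user, success in events]


# Constructed sample events: (seconds since start, user, password correct?)
EVENTS = [
    (0, "jsmith", False), (1, "jsmith", False), (2, "jsmith", False),
    (3, "jsmith", False), (4, "jsmith", False),   # fifth failure: locked
    (10, "jsmith", True),                         # correct, but still locked
    (20, "mlee", False), (25, "mlee", False),     # ordinary mistyped password
    (40, "mlee", True),                           # success resets the counter
    (1900, "jsmith", True),                       # lock expired at 1804
]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```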

Although having an IT consultant can help you to limit damage if your network security is breached, this is one case in which an ounce of prevention really is worth a pound of cure. By creating a secure network ahead of time and working with your employees to implement safe practices, you can avoid damage or lost productivity before it occurs.

These days, travel and computer use almost go hand-in-hand. Whether you’re carpooling across state or you’re flying internationally for business, almost all companies have some sort of ties to the mobile workforce.

However, Internet access tends to be rather sketchy on the road. Unless you’re able to supply your computers with wireless capabilities through a 3G network or other mobile routing system, it may be difficult for employees to send large files or share information from a remote location.

These days, car companies and airlines are stepping in to provide mobile Internet access. Automobile makers like BMW offer computers as a part of their more luxurious vehicles. These computers have in-vehicle Internet access as long as you’re within range of their network. Airlines are also offering onboard Internet access, as long as you’re seated in one of the equipped stations (usually in business or first class) and you pay the appropriate fee.

Like most advances in technology, it’s only a matter of time before these types of services are offered more universally. Although they come at an added expense right now, experts estimate that most people will have more mobile Internet options within the next five years.

If your business is on the cutting edge of technology, it might be worthwhile to invest in these types of “on the road shortcuts” right now. However, if you’re content to wait, you can tap into netbooks and PDAs as a way to provide a little more connectivity until the rest of the technology catches up.

Almost all personal computers and business hardware have anti-virus software as a way to keep viruses and other malware sources at bay. The reason is simple: it’s easy to install, easy to update, and easy to use.

However, in the business world, just installing the anti-virus software isn’t enough. In order to keep your data secure and your client information confidential, you must follow up to ensure that the software is being used to its maximum potential.

Regularly update all of your software – even ones that aren’t related to information security in any way. Viruses are usually developed to get into operating systems and programs that are outdated or otherwise weak. When a software update is offered, it’s usually because the programmers have found a way to make it more secure (and usually easier to run, too).

Keep an eye on your employees. Although it isn’t always deliberate, the number one cause of viruses on work computers is employees who accessed unsafe sites or opened an email they shouldn’t have. Whether you need to restrict Internet access, train employees on Internet safety, or instill a new policy into your company manual regarding computer use and viruses, you should always make sure your staff knows the rules regarding viruses and information security.

Put up protection behind the protection. No matter what business you’re in, anti-virus software simply isn’t enough. Your company’s reputation and your customers’ safety are dependent on your network being a safe, secure place that keeps viruses and other sources away from sensitive information. Sometimes, this means hiring an IT vulnerability manager to help you overhaul your entire network, and other times it means taking steps to improve policy management.

When it comes to viruses and other types of malware, IT solutions don’t always have to be complicated. Sometimes, it’s the small steps (anti-virus software, employee training, limited Internet use) that can have the biggest impact on your information safety measures.

If your business is getting ready to set up or install an IT disaster recovery plan, make sure you cover all the bases. Few companies are able to fully recover from the loss of data or significant downtime, so this is one type of safety net you simply can’t do without.

Monitor and/or update your disaster recovery plan regularly. The business world and the Internet are both like living, breathing organisms – they change and adapt daily. This means that a disaster recovery plan put in place six months ago might very well be obsolete by the time the unthinkable occurs. Whether you rely on automated monitoring, regular back-up data storage, or an actual physical update of your system, it’s a good idea to include regular updates into your planning and your recovery budget.

Test the system regularly. Although this is technically part of the monitoring step, it’s a step that 9 out of 10 companies fail to do. But if there are weaknesses in your disaster recovery plan, you might actually be worse off than if you had no plan at all. That’s because you and your team will go through your recovery efforts under the assumption that you were safe from the more pressing issues, and you might fail to perform the most basic – and necessary – steps.

Keep data stored somewhere else. Whether you keep your backed-up data stored physically off-site or you use offshore storage for all your information needs, having the information away from your own system is the most important thing. This back-up data will need to be updated regularly, according to your recovery point objective (or how reliant your business is on having the most recent data possible).

Protect the hardware that goes home. If you have laptops that employees take home for work use, you need to install the laptops with theft recovery and data delete options. The top-of-the-line options will be able to return all the necessary information to you and still disable the computer so that the thief can’t get access to the same data.

Consider hiring someone to do the disaster recovery planning for you. Whether you are a small business without an IT department or a large business whose data planning needs span entire departments and cross-country facilities, this is one area where it doesn’t pay to cut corners.

It doesn’t matter whether you’re seeking protection against the physical damages of flood and fire or the more pervasive damages of a system that has been infiltrated by hackers – disaster recovery planning is necessary for any business. However, because the scope of potential threats is so large – and because there are so many kinds of threats you may not have even realized – it can be a daunting task to undertake.

Before you do any disaster recovery planning, it’s important to prioritize what’s important for your business. No two disaster recovery plans are alike, and the only way to minimize your own damages is to act accordingly.

Some of the questions you’ll need to ask yourself include:

What are the most likely worst-case scenarios? (For example, if you are located in a flood plain, you may need to place a greater focus on keeping physical damages to a minimum. If your company deals with a large amount of personal data, keeping your customers’ information safe might be the most important thing.) How can these be prioritized to streamline the disaster recovery planning stage?

What do you need to keep the business running in the event of a disaster? Do you need email? Phones? Access to backed-up data on the system? Alternate computers or technology?

What liabilities might you be facing? If your network is infiltrated by hackers, what are the legal ramifications for your company? How much of an effect will this have on your company reputation and your bottom line?

How long can your system be down without causing you to go bankrupt? (For example, if you experience a denial of service attack or you simply can’t access your system for a few days, how prepared is your company to “weather the storm?” Do you have access to emergency funds or an alternate way to keep business running?)

Is your data somewhere safe? Imagine that you’ll never be able to get your system back up and running again. Do you have backed up data located somewhere where it won’t be damaged?

What sort of information sharing system do you have in place? Employees and administrators will need to be kept apprised of the disaster and its recovery efforts. A way to contact everyone is important in making sure that things continue to run as smoothly as possible.

How are you going to let your customers know about the situation? Nothing is more irritating to a customer or client than being unable to access your company (either online or in person). If your system is going to be down, or if you need to send out notifications of an information breach, you must have a way to get in contact with all of your customers.

No one likes to think that a disaster can happen to them. However, most businesses will experience some sort of an information emergency during operations. In order to successfully get your company back up and running, it’s important to plan ahead.

Last week, we discussed the benefits of a vulnerability patch management plan in boosting information security on a company-wide level. From IT policy development to network restructuring, there are countless reasons to integrate vulnerability patch management.

Once you decide to start working with an online or local IT consulting firm, you will most likely go through the following steps:

Inventory and Assessment: Not only will your IT consultant assess the strength of your current system from an operating standpoint, but he or she will also inventory the resources you have in the form of hardware, software, bandwidth, and even the employees you can rely on. All of these factors weigh in on the strength and viability of your system.

Monitor and Identify Threats: Using the inventory you currently have (or using new additions based on your consultant’s recommendations), you will begin a monitoring program that finds weaknesses and emerging threats. This may be automated, or it may be part of your consultant’s plan. In either case, you should be able to tell where to put your focus for moving forward.

Move Forward: This includes prioritizing the vulnerabilities, creating a database of solutions based on the prioritization list, and actually implementing the patches. It doesn’t matter whether you immediately apply the patches or spread them out over a period of time; this is the point at which you develop a long-term solution to see you and your company through the next few years.

Begin Automation: Making vulnerability patch management a regular part of your business means relaying the appropriate information to administrators and setting up an automated detection and patch deployment system. In many cases, this will include training your IT staff on how to read the vulnerability scan results and how to apply solutions before they become liabilities in your business.